Monday, February 06, 2006
Newspapers' Exposure demonstrates hidden risks
By Jaikumar Vijayan at ComputerWorld
Incidents such as the data security breach disclosed last week by The Boston Globe and the Worcester Telegram & Gazette—which inadvertently attached the credit card numbers of more than 200,000 subscribers to newspaper bundles—highlight the unexpected ways in which sensitive information can leak out of companies.
The data exposure by the two newspapers hammered home yet again the need for businesses to implement comprehensive policies for securing their information assets and then apply the appropriate controls to mitigate the risk of accidental compromises, according to security analysts. Ways to Lose Data
"Given the infinite number of ways business processes are implemented in firms, there are potentially an infinite number of ways in which data can be lost," said Arshad Noor, CEO of StrongAuth Inc., a compliance management services firm in Sunnyvale, Calif.
As a result, IT and security managers need to start thinking beyond network and system defenses, Noor said. "We have to go back to the core of our systems where the data sits and start securing it outward from there," he said.
The Globe and the Telegram & Gazette, a sister publication in Worcester, Mass., announced that discarded internal reports containing the full credit card numbers of as many as 240,000 subscribers were reused to produce more than 9,000 routing slips for bundles of the Jan. 29 Worcester Sunday Telegram. The bank-routing information of about 1,100 Telegram & Gazette subscribers who pay by check may also have been exposed when the newspaper bundles were sent to retailers and carriers.
The two newspapers are owned by The New York Times Co. and use a shared computer system. According to officials at the Globe, customer data was mistakenly printed out twice in recent weeks by business office workers at the Telegram & Gazette. The reports were then put aside so that the clean side of the paper could be used for other purposes, leading to the security gaffe.
The Globe managed to recover about 1,000 of the routing slips after it was alerted to the problem by a store employee, said Alfred Larkin, the newspaper's senior vice president of general administration and external affairs. Most of the other slips are believed to have been discarded, he said.
After the breach was discovered, the newspapers modified their business system so it prints only the last four digits of credit and debit card numbers. In addition, the Telegram & Gazette stopped its practice of reusing internal reports as routing slips, Larkin said, adding that the Globe hadn't done that to begin with.
The breach at the newspapers came just one week after companies in Seattle and Minneapolis disclosed separate data compromises potentially affecting hundreds of thousands of people. Both resulted from the theft of IT gear from employees' cars.
Other common snafus mentioned by analysts include failing to properly destroy storage devices, leaving confidential reports in conference rooms, subways or taxis, storing corporate documents on home PCs, and donating or auctioning systems that still contain data. In one case last April, a disk drive containing confidential data from the police department in Brandenburg, Germany, was auctioned off on eBay Inc.'s Web site for the equivalent of about $25.
It's impossible to implement controls for every eventuality. But Roberta Witty, an analyst at Gartner Inc., said companies should set up programs for classifying data and then apply mitigation controls based on the information's sensitivity and the perceived level of risk. "Just because it's not in electronic form doesn't mean you don't put controls over it," she said.
Also vital is training employees on the safe handling of data, said Prat Moghe, CEO of security vendor Tizor Systems Inc. in Maynard, Mass. "Companies often fail to see themselves as data brokers, though in a sense they are," Moghe said.
Incidents such as the data security breach disclosed last week by The Boston Globe and the Worcester Telegram & Gazette—which inadvertently attached the credit card numbers of more than 200,000 subscribers to newspaper bundles—highlight the unexpected ways in which sensitive information can leak out of companies.
The data exposure by the two newspapers hammered home yet again the need for businesses to implement comprehensive policies for securing their information assets and then apply the appropriate controls to mitigate the risk of accidental compromises, according to security analysts. Ways to Lose Data
"Given the infinite number of ways business processes are implemented in firms, there are potentially an infinite number of ways in which data can be lost," said Arshad Noor, CEO of StrongAuth Inc., a compliance management services firm in Sunnyvale, Calif.
As a result, IT and security managers need to start thinking beyond network and system defenses, Noor said. "We have to go back to the core of our systems where the data sits and start securing it outward from there," he said.
The Globe and the Telegram & Gazette, a sister publication in Worcester, Mass., announced that discarded internal reports containing the full credit card numbers of as many as 240,000 subscribers were reused to produce more than 9,000 routing slips for bundles of the Jan. 29 Worcester Sunday Telegram. The bank-routing information of about 1,100 Telegram & Gazette subscribers who pay by check may also have been exposed when the newspaper bundles were sent to retailers and carriers.
The two newspapers are owned by The New York Times Co. and use a shared computer system. According to officials at the Globe, customer data was mistakenly printed out twice in recent weeks by business office workers at the Telegram & Gazette. The reports were then put aside so that the clean side of the paper could be used for other purposes, leading to the security gaffe.
The Globe managed to recover about 1,000 of the routing slips after it was alerted to the problem by a store employee, said Alfred Larkin, the newspaper's senior vice president of general administration and external affairs. Most of the other slips are believed to have been discarded, he said.
After the breach was discovered, the newspapers modified their business system so it prints only the last four digits of credit and debit card numbers. In addition, the Telegram & Gazette stopped its practice of reusing internal reports as routing slips, Larkin said, adding that the Globe hadn't done that to begin with.
The breach at the newspapers came just one week after companies in Seattle and Minneapolis disclosed separate data compromises potentially affecting hundreds of thousands of people. Both resulted from the theft of IT gear from employees' cars.
Other common snafus mentioned by analysts include failing to properly destroy storage devices, leaving confidential reports in conference rooms, subways or taxis, storing corporate documents on home PCs, and donating or auctioning systems that still contain data. In one case last April, a disk drive containing confidential data from the police department in Brandenburg, Germany, was auctioned off on eBay Inc.'s Web site for the equivalent of about $25.
It's impossible to implement controls for every eventuality. But Roberta Witty, an analyst at Gartner Inc., said companies should set up programs for classifying data and then apply mitigation controls based on the information's sensitivity and the perceived level of risk. "Just because it's not in electronic form doesn't mean you don't put controls over it," she said.
Also vital is training employees on the safe handling of data, said Prat Moghe, CEO of security vendor Tizor Systems Inc. in Maynard, Mass. "Companies often fail to see themselves as data brokers, though in a sense they are," Moghe said.
# posted by raveneye @ 10:23 PM 
